UK businesses “struggling” with requests for personal information in GDPR era

One year on from the European Union’s General Data Protection Regulation (GDPR) coming into effect, a new study suggests that many UK businesses are struggling to process requests from customers who are exercising their right to access the personal information stored about them. Of the 37 businesses evaluated – in the main large financial services organisations, utilities and telcos – around one third were found to be non-compliant, with five overshooting the time limit of one month that’s specified by the GDPR.

Among the other reasons for non-compliance were businesses including personal information about someone else within the data that was supplied, providing information in an electronic format that was difficult to access and incomprehensible when opened and failing to complete the request at all due to systems or process failures.

“The overall picture painted by the study is that even after a year, many businesses – including some major global brands – still do not have efficient systems in place to manage GDPR information requests from their customers,” said Lynda Kershaw of Macro 4 (a software division of UNICOM Global which conducted the detailed study). “In many cases, the customer service agents we spoke to didn’t immediately understand what they were being asked for or how to respond. Nearly half of the businesses came back to the customer with multiple follow-up queries for more information or clarification before they could process the information request. Three organisations came back more than three times.”

Macro 4 evaluated how 37 businesses* that operate in the UK responded to data subject access requests (DSARs) made during April this year. The sample consisted of financial services companies (17), utilities and telecommunications providers (7) and smaller numbers from a variety of other sectors (including well-known e-commerce businesses, loyalty card providers, hotels and leisure services companies). 

Nearly a third of businesses non-compliant

Of the 12 organisations that were not fully compliant in responding to the DSARs, five took longer than the permitted one calendar month to send the personal information. One said they would respond within 40 days, so giving themselves more time than is stipulated by the GDPR.

Two businesses included personal information about another individual (in one case the e-mail address, National Insurance number and mobile phone number of the customer’s partner), so breaching that person’s right to privacy. Three came back with very scant and incomplete information in response to the request. One supplied information in an electronic format that’s not commonly used (and which was incomprehensible once the customer finally managed to open it) and another provided rows and rows of text which were impossible to decipher. 

Customer-facing staff still in the dark

In fewer than half of the cases did the customer service agent know exactly how to respond when a customer asked to make a DSAR to find out what personal data was being held about them. For 22 of the contacts that were made, the agent was unsure of how to deal with a DSAR and needed to check with a colleague or look it up on their system. One agent appeared knowledgeable at the time, but the request was subsequently lost from the system.

A related issue was a lack of knowledge about how long a request would take to process. A number of front line staff were overly optimistic about this. Several quoted a few days to a couple of weeks, whereas follow-up correspondence invariably stated a longer turnaround time (or it simply did take longer than had been promised). 

Repeated call-backs and follow-ups required

Around half of the businesses in the sample didn’t initially capture all the information needed from the customer in order to process the request in one go. They made contact with the customer again by phone, e-mail or letter to request additional information or verification not mentioned on the first call.

Eight businesses had to make one such follow-up, six made two and one made three follow-ups. Three organisations had to follow up more than three times. 

Limiting the scope of the information request

Around 40% of the businesses asked customers to specify exactly what personal information was required (rather than sending all personal information they held about the individual). Some organisations asked for this type of clarification multiple times.

“It really felt like some organisations were trying to make the request easier to handle by reducing the amount of data they would need to collate,” said Kershaw. “If you don’t know what personal information a company is holding on you, how can you be specific about what they should send you? One notable area where customers were expected to jump through hoops was voice recordings. Sometimes they were asked to provide precise dates and times of calls, or details of whom they spoke to, for example. In most cases that just isn’t practical.”

Information supplied in a range of formats

Fewer than half of the businesses in the sample said they could make the personal information available electronically, despite the GDPR advising that ‘where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data’.

The information that was supplied electronically was delivered in a range of formats and included screenshots of CRM and transactional systems, PDFs, Microsoft Word documents and Excel spreadsheets. Call recordings were supplied as WAV files and sometimes on CDs. Often, the information was password protected and sent via a temporary link.

The information supplied, both on paper and electronically, was variable in quantity and quality. In some cases an explanation of the purposes of the data processing was included together with the meanings of abbreviations and system codes, but in other cases the information was in a raw format and unintelligible to the customer.

The Information Commissioner’s Office’s Guidelines state that information responding to DSARs should be provided in a ‘commonly used electronic format’ and ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language’. 

*Macro 4 contacted the 37 businesses by telephone (or, if required by the organisation, by chat or by completing an online form)

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
